IDS on Bridge Mode do not detect private IP attack

Started by hoseinTB, March 05, 2016, 11:06:17 AM

Hi,

I am using OPNsense in bridge mode.
I want to run the IDS/IPS service to protect my trusted network from attacks coming from both private and public IP addresses.
But as I tested, I need to edit the Suricata config file (suricata.yaml) and change HOME_NET to reach my goal.

After some research I found out that HOME_NET is an important Suricata variable.

So why are you not adding the HOME_NET setting to the Intrusion Detection web interface of OPNsense?


Thanks
Hosein

Hi Hosein,

Bridge mode isn't one of the main use cases of a router-based firewall, so naturally we try to work on routing-based features and that works ok without HOME_NET.

However, I think we can add this to an upcoming version as an option, but it'll likely have to be configured manually.


Cheers,
Franco

Hi Franco

Thanks for the reply.

> so naturally we try to work on routing-based features and that works ok without HOME_NET.

As I tested in routing mode, if my red network has a private IP address range (192.168.0.0/16), I need to change the HOME_NET config to detect attacks from the red local network.

So, am I doing anything wrong?


> However, I think we can add this to an upcoming version as an option, but it'll likely have to be configured manually.

Looking forward to seeing this option in the web interface :)

Regards,
Hosein

March 07, 2016, 01:45:01 PM #3 Last Edit: March 07, 2016, 01:46:44 PM by franco
HOME_NET, generally, is not directly used to designate our home network. It is used to filter out all noise that does not apply to HOME_NET, be it speed optimisation on noisy links or other reasons for filtering out messages that do not apply to your security requirements.

You're still fine without having set HOME_NET, unless you specifically need to exclude traffic from matching.

If you're not seeing alerts when they should come up, it's likely that IDS is misconfigured. Adjusting HOME_NET won't help in these cases. Are you sure IDS is running on the right link, seeing the right traffic?

March 07, 2016, 02:53:50 PM #4 Last Edit: March 07, 2016, 04:50:48 PM by hoseinTB
This is my test scenario:


http://sm.uploads.im/E8OeG.png

I run the IDS on the firewall and enable all scan rules.

After scanning LAN1 (192.168.1.100) with NMAP, no alert is shown on the firewall.

But after editing HOME_NET as below (YAML comments use `#`, not `//`):

# Original
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"

# Replace with the line below:
HOME_NET: "[192.168.1.0/24,10.0.0.0/8,172.16.0.0/12]"

the IDS gives me the expected alert for the scan.

So I think that Suricata only detects attacks with a HOME_NET destination.

Is this true?


Regards,
Hosein



Er, thanks for the explanation. HOME_NET is set to 192.168.0.0/16, so EXTERNAL_NET is everything out of that scope. Since both networks are HOME_NET by default, the rules never match. You are right.

You can manually adjust the OPNsense file /usr/local/opnsense/service/templates/OPNsense/IDS/suricata.yaml to reflect your setup and make the settings permanent until the next firmware upgrade is executed.

We'll discuss providing an override to HOME_NET, but in this case I must say it's a setup issue that can be worked around either with the above fix or adjusting one network to fall outside the HOME_NET range.
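The scan test in post #4 and Franco's explanation of why it produced no alert both come down to how Suricata resolves the address variables in a rule header. The following is an added example, not code from the thread, from OPNsense or from Suricata: a small Python model of that resolution (`$VAR` lookup, `!` negation, `[a,b,!c]` groups, CIDR leaves) run against a constructed scan rule. The scanning host address 192.168.2.50 is an assumption, since the diagram is not on the page; the target 192.168.1.100 is the one Hosein scanned.

```python
"""Added example (not from the OPNsense thread or the Suricata project):
model how Suricata resolves $HOME_NET / $EXTERNAL_NET in a rule header,
to show why a scan between two RFC1918 subnets raises no alert when both
subnets fall inside HOME_NET."""
import ipaddress

# Address variables as they appear in suricata.yaml. The "original" set is
# the default Hosein quoted; the "narrowed" set is his edit.
ORIGINAL_VARS = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
    "EXTERNAL_NET": "!$HOME_NET",
}
NARROWED_VARS = {
    "HOME_NET": "[192.168.1.0/24,10.0.0.0/8,172.16.0.0/12]",
    "EXTERNAL_NET": "!$HOME_NET",
}

# Constructed rule in Suricata header syntax; sid/msg are placeholders.
SCAN_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
             '(msg:"constructed scan rule"; sid:1000001; rev:1;)')
SCANNER = "192.168.2.50"   # assumption: scanner sits on another 192.168.x LAN
TARGET = "192.168.1.100"   # LAN1 host scanned in the thread


def split_top_level(s):
    """Split a comma list while respecting nested [...] groups."""
    parts, depth, cur = [], 0, []
    for ch in s:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur))
    return parts


def compile_spec(spec, variables):
    """Turn an address spec into a predicate on an IP string."""
    spec = spec.strip()
    if spec == "any":
        return lambda ip: True
    if spec.startswith("!"):                      # !X: everything not in X
        inner = compile_spec(spec[1:], variables)
        return lambda ip: not inner(ip)
    if spec.startswith("$"):                      # $VAR: expand recursively
        name = spec[1:]
        if name not in variables:
            raise KeyError(f"undefined address variable ${name}")
        return compile_spec(variables[name], variables)
    if spec.startswith("[") and spec.endswith("]"):
        # Group: match any positive entry and none of the negated ones.
        # A group with only negated entries means "anything except these".
        pos, neg = [], []
        for part in split_top_level(spec[1:-1]):
            part = part.strip()
            target = neg if part.startswith("!") else pos
            target.append(compile_spec(part.lstrip("!"), variables))
        return lambda ip: ((any(p(ip) for p in pos) if pos else True)
                           and not any(n(ip) for n in neg))
    net = ipaddress.ip_network(spec, strict=False)   # CIDR or single host
    return lambda ip: ipaddress.ip_address(ip) in net


def rule_matches(rule, variables, src_ip, dst_ip):
    """Evaluate only the source/destination address part of a rule header."""
    _action, _proto, src, _sport, direction, dst, _dport = rule.split(maxsplit=7)[:7]
    src_ok = compile_spec(src, variables)
    dst_ok = compile_spec(dst, variables)
    if direction == "->":
        return src_ok(src_ip) and dst_ok(dst_ip)
    if direction == "<>":
        return (src_ok(src_ip) and dst_ok(dst_ip)) or (src_ok(dst_ip) and dst_ok(src_ip))
    raise ValueError(f"unknown direction {direction!r}")


def thread_scenario():
    """The three configurations discussed in the thread, against one scan."""
    return {
        "original": rule_matches(SCAN_RULE, ORIGINAL_VARS, SCANNER, TARGET),
        "narrowed": rule_matches(SCAN_RULE, NARROWED_VARS, SCANNER, TARGET),
        "external_any": rule_matches(
            SCAN_RULE, {**ORIGINAL_VARS, "EXTERNAL_NET": "any"}, SCANNER, TARGET),
    }


if __name__ == "__main__":
    for name, hit in thread_scenario().items():
        print(f"{name:13s} {SCANNER} -> {TARGET}: {'ALERT' if hit else 'no alert'}")
```

With the default variables the scanner is itself inside HOME_NET, so `$EXTERNAL_NET` (`!$HOME_NET`) never matches it and the rule is silent; narrowing HOME_NET to 192.168.1.0/24 moves the scanner outside it and the same rule fires. Setting `EXTERNAL_NET: any` also fires, but note the cost of either change: rules written as `$HOME_NET -> $EXTERNAL_NET` (outbound-compromise signatures) will then treat the other LAN as external, or fire on ordinary inter-LAN traffic, so check which rule families you rely on before choosing between narrowing HOME_NET and relaxing EXTERNAL_NET.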